Security update for SUSE Manager Server 4.0

SUSE Security Update: Security update for SUSE Manager Server 4.0
Announcement ID: SUSE-SU-2020:0671-1
Rating: moderate
References: #1083326 #1085414 #1121640 #1123274 #1137248 #1140332 #1144176 #1152673 #1152795 #1153269 #1154246 #1154590 #1154599 #1155281 #1155372 #1156751 #1157317 #1157346 #1157447 #1157700 #1157975 #1158178 #1158181 #1158283 #1158480 #1158564 #1158672 #1158697 #1158754 #1158818 #1158899 #1158943 #1159012 #1159023 #1159076 #1159184 #1159492 #1159553 #1160184 #1160940 #1161755 #1161862 #1162609 #1162683 #1164120 #1164309 #1164452 #1164649 #1164875 #1165425 #1165541 #1165927 #1166061 #1166388
Cross-References: CVE-2018-1077 CVE-2019-16769 CVE-2020-1693
Affected Products:
  • SUSE Linux Enterprise Module for SUSE Manager Server 4.0
  • SUSE Linux Enterprise Module for SUSE Manager Proxy 4.0

An update that solves three vulnerabilities and has 51 fixes is now available.

Description:

This update fixes the following issues:

branch-network-formula:

  • Update formula to include terminal naming and identification

image-sync-formula:
  • Prevent installing xdelta3 package and disable delta functionality on SLE12 branch servers (bsc#1159553)

mgr-osad:
  • Take care that osad is not disabled nor deactivated during update (bsc#1157700, bsc#1158697)

patterns-suse-manager:
  • Add recommends for virtualization-host-formula to suma_server pattern
  • Add recommends for virtualization-host-formula to retail

prometheus-formula:
  • Bugfix: disabled fields not enabled when checkbox is checked

pxe-default-image-sle15:
  • Adapt to new kiwi version to fix pre registration in the bare-metal image (bsc#1153269)

pxe-formula:
  • Add support for new features in terminal naming
  • Remove branch_id from pxe form, moved to branch-network form

py26-compat-salt:
  • Replace pycrypto with M2Crypto as dependency for SLE15+

python-susemanager-retail:
  • Add support for terminal naming block
  • Add delta support for SLE15 tar.xz bundles

redstone-xmlrpc:
  • Disable external entity parsing (1790381, bsc#1164120, CVE-2020-1693)
  • Do not download external entities (1555429, bsc#1085414, CVE-2018-1077)
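The two redstone-xmlrpc entries above close the same class of bug: an XML-RPC request may carry a DOCTYPE, the DOCTYPE may declare an external entity, and a parser that resolves it will read a local file (or fetch a URL) and splice the result into a call parameter. The script below is an added example, not redstone-xmlrpc or SUSE Manager code, written with Python's expat bindings. Python's expat does not fetch external entities unless a handler asks it to, so the first parser deliberately installs such a handler to mirror the pre-fix behaviour; the second rejects any DOCTYPE before an entity can be declared, which is what "disable external entity parsing" amounts to. The method name, the file contents and the request bodies are constructed for the demonstration.

```python
# Added example, not redstone-xmlrpc or SUSE Manager code: the XXE pattern
# behind the two redstone-xmlrpc entries, shown with Python's expat bindings.
import os
import tempfile
import xml.parsers.expat


def xxe_request(path):
    """Constructed XML-RPC call whose <string> parameter expands an external
    entity that points at a local file (the method name is an assumption)."""
    return ('<?xml version="1.0"?>\n'
            '<!DOCTYPE methodCall [<!ENTITY xxe SYSTEM "file://%s">]>\n'
            '<methodCall><methodName>auth.login</methodName><params><param>'
            '<value><string>&xxe;</string></value></param></params></methodCall>' % path)


# Constructed benign request, used to show the hardened parser still works.
BENIGN_REQUEST = ('<?xml version="1.0"?><methodCall><methodName>auth.login</methodName>'
                  '<params><param><value><string>admin</string></value></param></params>'
                  '</methodCall>')


class DoctypeRejected(Exception):
    """Raised by the hardened parser when a request carries a DOCTYPE."""


def _collect_strings(parser):
    """Install handlers that gather the text of every <string> element."""
    found, state = [], {"in_string": False}

    def start(name, attrs):
        if name == "string":
            state["in_string"] = True
            found.append("")

    def end(name):
        if name == "string":
            state["in_string"] = False

    def chars(data):
        if state["in_string"]:
            found[-1] += data

    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars
    return found


def parse_resolving_entities(xml_text):
    """Vulnerable variant: follows file:// SYSTEM entities, so whatever the
    file contains ends up inside the parsed call parameters."""
    parser = xml.parsers.expat.ParserCreate()
    found = _collect_strings(parser)

    def fetch_entity(context, base, system_id, public_id):
        # The child parser inherits the parent's handlers, so the file's text
        # is delivered to chars() as if it were part of the request body.
        child = parser.ExternalEntityParserCreate(context)
        if system_id and system_id.startswith("file://"):
            with open(system_id[len("file://"):], "rb") as fh:
                child.Parse(fh.read(), True)
        return 1  # non-zero tells expat the reference was handled

    parser.ExternalEntityRefHandler = fetch_entity
    parser.Parse(xml_text, True)
    return found


def parse_hardened(xml_text):
    """Fixed variant: refuse any DOCTYPE (no DTD, hence no entity declarations)
    and never resolve an external entity even if one were somehow reached."""
    parser = xml.parsers.expat.ParserCreate()
    found = _collect_strings(parser)

    def reject_doctype(name, system_id, public_id, has_internal_subset):
        raise DoctypeRejected("DOCTYPE not allowed in XML-RPC request: %r" % name)

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.ExternalEntityRefHandler = lambda *args: 0  # 0 makes expat fail the parse
    parser.Parse(xml_text, True)
    return found


def demo():
    """Run both parsers against the XXE payload and the benign request.
    Returns (strings leaked by the resolving parser, whether the hardened
    parser blocked the payload, strings the hardened parser read from the
    benign request)."""
    with tempfile.NamedTemporaryFile("w", suffix=".conf", delete=False) as fh:
        fh.write("db_password=s3cret\n")  # constructed secret, stands in for a config file
        secret_path = fh.name
    try:
        leaked = parse_resolving_entities(xxe_request(secret_path))
        try:
            parse_hardened(xxe_request(secret_path))
            blocked = False
        except DoctypeRejected:
            blocked = True
        benign = parse_hardened(BENIGN_REQUEST)
    finally:
        os.unlink(secret_path)
    return leaked, blocked, benign
```

Rejecting the DOCTYPE outright is the robust fix because it removes the place where entities (internal, external and parameter) are declared; disabling only external general entities still leaves billion-laughs style expansion and parameter-entity tricks on the table. The same effect in a Java SAX parser comes from the `http://apache.org/xml/features/disallow-doctype-decl` feature.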

salt-netapi-client:
  • Version 0.17.0 See: https://github.com/SUSE/salt-netapi-client/releases/tag/v0.17.0

spacecmd:
  • Bugfix: attempt to purge SSM when it is empty (bsc#1155372)

spacewalk-admin:
  • Spell correctly "successful" and "successfully"

spacewalk-backend:
  • Fix mgrcfg-client python3 breakage (bsc#1164309)
  • Update doc link to point to new documentation server
  • Prevent timestamp format exception on mgr-inter-sync while processing comps (bsc#1157346)
  • When downloading repo metadata, don't add "/" to the repo url if it already ends with one (bsc#1158899)
  • Use HTTP proxy settings when fetching the mirrorlist on spacewalk-repo-sync (bsc#1159076)
  • Enhance suseProducts via ISS to fix SP migration on slave server (bsc#1159184)
  • Prevent a traceback when reposyncing openSUSE 15.1 (bsc#1158672)
  • Close config files after reading them (bsc#1158283)
  • Associate VMs and systems with the same machine ID at bootstrap (bsc#1144176)

spacewalk-certs-tools:
  • Add 'start_event_grains' minion option to configfile when generated by bootstrap script
  • Forbid multiple activation keys for salt minions during bootstrap (bsc#1164452)
  • Add additional minion options to configfile when generated by bootstrap script (bsc#1159492)
  • Change the order to check the version correctly for RES (bsc#1152795)

spacewalk-client-tools:
  • Spell correctly "successful" and "successfully"

system-lock-formula:
  • Clarified terms along documentation and product (bsc#1166061)

spacewalk-java:
  • Feat: enable Salt system lock when CaaSP node is onboarded and add dependency to 'system-lock-formula' (bsc#1165541)
  • Support non discoverable fqdns via custom grain (bsc#1155281)
  • Handle the non-existent requested grains gracefully
  • Get the machineid grain from the minion startup event
  • Use term 'patch' instead of 'errata' (bsc#1164649)
  • Enable provisioning API with salt and bootstrap entitled systems
  • Fix a problem with removing the monitoring entitlement from a system
  • Improve performance when adding systems to system groups (bsc#1158754)
  • Migrate pillar and formula data on minion id change (bsc#1161755)
  • Change doc links pointing to new documentation server
  • Call saltutil.sync_all before calling highstate (bsc#1152673)
  • Exclude base products from PAYG (Pay-As-You-Go) instances when doing subscription matching
  • Show additional headers and dependencies for deb packages
  • Show adequate message on saving formulas that change only pillar data
  • Fix mgr-sync add channel when fromdir is configured (bsc#1160184)
  • Handle not found re-activation key (bsc#1159012)
  • Write a list of formulas sorted by execution order (bsc#1083326)
  • Use channel name from product tree instead of constructing it (bsc#1157317)
  • Read the subscriptions from the output instead of input (bsc#1140332)
  • Rename rhncfg-actions to mgr-cfg-actions in UI advice (bsc#1137248)
  • Fix container image import (bsc#1154246)
  • Add missing permission checks on formula api (bsc#1123274)
  • Generate metadata with empty vendor (bsc#1158480)
  • Remove undefined variable from redhat_register snippet
  • Add a method in API to check if the provided session key is a valid one.
  • Associate VMs and systems with the same machine ID at bootstrap (bsc#1144176)
  • Fix minion id when applying engine-events state (bsc#1158181)
  • Remove unnecessary WARN log entries from Kubernetes integration
  • Fix for pillar not being refreshed when CaaSP pattern is detected upon software profile update (bsc#1166061)

spacewalk-search:
  • Make rhn-search log to correct file (bsc#1156751)

spacewalk-setup:
  • Spell correctly "successful" and "successfully"
  • create AJP connector for tomcat if it does not exist (bsc#1165927, bsc#1166388)

spacewalk-utils:
  • Spell "successfully" correctly

spacewalk-web:
  • Don't validate mandatory fields that are not visible (bsc#1158943)
  • Fix count of changes to build (bsc#1160940)
  • Report merge_subscriptions message in a readable way (bsc#1140332)
  • Fix ordering by date (bsc#1158818)

subscription-matcher:
  • Add missing library for SLE15 SP2 (slf4j-log4j12)
  • Make the code usable with Math3 on SLES
  • Use log4j12 package on newer SLE versions
  • Aggregate stackable subscriptions with same parameters
  • Implement new "swap move" used in optaplanner (bsc#1140332)
  • Enable aarch64 builds, except for SLE

susemanager:
  • Add missing python libraries to RES8/RHEL8/CentOS 8 bootstrap repos (bsc#1164875)
  • Add bootstrap-repo data for OES 2018 SP2 (bsc#1161862)
  • Add bootstrap-repo data for SLE15 SP2 Family
  • Fix documentation URL in installer (bsc#1154590)
  • Update requirements to match documented values (bsc#1154599)

susemanager-doc-indexes:
  • Adding Additional FQDNS for Proxies with Salt
  • Reference guide review and update moving content into tabular format
  • Autogenerate pdf index from antora html nav lists
  • Documentation needs to address using RHEL8 in the correct way (bsc#1159023)
  • Traditional clients bootstrap, the example applies to SLES ES 7 only (bsc#1158564)
  • Remove auditlog-keeper from list
  • Removed duplicate client requirements entries
  • Fix missing spaces throughout docs
  • Added the complete path for using manager-setup
  • Fix typo in vhm-kubernetes
  • Cleaned up client registration documents
  • Improved ubuntu instructions
  • Explain how to compose a DSN string for monitoring
  • Added publishing dates to individual book intros
  • Updated common spacewalk-common-channels usage

susemanager-docs_en:
  • Adding Additional FQDNS for Proxies with Salt
  • Reference guide review and update moving content into tabular format
  • Autogenerate pdf index from antora html nav lists
  • Documentation needs to address using RHEL8 in the correct way (bsc#1159023)
  • Traditional clients bootstrap, the example applies to SLES ES 7 only (bsc#1158564)
  • Remove auditlog-keeper from list
  • Removed duplicate client requirements entries
  • Fix missing spaces throughout docs
  • Added the complete path for using manager-setup
  • Fix typo in vhm-kubernetes
  • Cleaned up client registration documents
  • Improved ubuntu instructions
  • Explain how to compose a DSN string for monitoring
  • Added publishing dates to individual book intros
  • Updated common spacewalk-common-channels usage

susemanager-schema:
  • Add new 'payg' attribute to rhnServer table
  • Enable re-activation keys for salt managed systems (bsc#1159012)
  • Generate metadata with empty vendor (bsc#1158480)
  • Fix rhnActionVirtDelete when migrating from 3.2 to 4.0 (bsc#1158178)

susemanager-sls:
  • Install dmidecode before HW profile update when missing
  • Add mgr_start_event_grains.sls to update minion config
  • Add 'product' custom state module to handle installation of SUSE products at client side (bsc#1157447)
  • Support reading of pillar data for minions from multiple files (bsc#1158754)
  • Do not workaround util.syncmodules for SSH minions (bsc#1162609)
  • Force to run util.synccustomall when triggering action chains on SSH minions (bsc#1162683).
  • Add custom 'is_payg_instance' grain when instance is PAYG and not BYOS.
  • Adapt sls file for pre-downloading in Ubuntu minions
  • Sort formulas by execution order (bsc#1083326)
  • Split remove_traditional_stack into two parts. One for all systems and another for clients not being a Uyuni Server or Proxy (bsc#1121640)
  • Change the order to check the version correctly for RES (bsc#1152795)
  • Do not break Servers registering to a Server
  • Remove the virt-poller cache when applying Virtualization entitlement
  • Force HTTP request timeout on public cloud grain (bsc#1157975)

susemanager-sync-data:
  • Add OES 2018 SP2 (bsc#1161862)
  • Rename RHEL 8 Base product
  • Change channel family name according to SCC data

How to apply this update:

  1. Log in as root user to the SUSE Manager server.
  2. Stop the Spacewalk service: spacewalk-service stop
  3. Apply the patch using either zypper patch or YaST Online Update.
  4. Upgrade the database schema: spacewalk-schema-upgrade
  5. Start the Spacewalk service: spacewalk-service start

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  • SUSE Linux Enterprise Module for SUSE Manager Server 4.0:
    zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Server-4.0-2020-671=1
  • SUSE Linux Enterprise Module for SUSE Manager Proxy 4.0:
    zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Proxy-4.0-2020-671=1

Package List:

  • SUSE Linux Enterprise Module for SUSE Manager Server 4.0 (ppc64le s390x x86_64):
    • patterns-suma_retail-4.0-9.10.2
    • patterns-suma_server-4.0-9.10.2
    • susemanager-4.0.22-3.20.3
    • susemanager-tools-4.0.22-3.20.3
  • SUSE Linux Enterprise Module for SUSE Manager Server 4.0 (noarch):
    • branch-network-formula-0.1.1580471316.1839544-3.10.2
    • image-sync-formula-0.1.1579102150.4716559-3.11.2
    • mgr-osa-dispatcher-4.0.11-3.9.2
    • prometheus-formula-0.1-4.7.2
    • pxe-default-image-sle15-4.0.1-20200305173027
    • pxe-formula-0.1.1580384994.6076a7e-3.11.2
    • py26-compat-salt-2016.11.10-10.11.2
    • python3-mgr-osa-common-4.0.11-3.9.2
    • python3-mgr-osa-dispatcher-4.0.11-3.9.2
    • python3-spacewalk-backend-libs-4.0.30-3.23.3
    • python3-spacewalk-certs-tools-4.0.15-3.15.2
    • python3-spacewalk-client-tools-4.0.12-3.13.2
    • python3-susemanager-retail-1.0.1580471316.1839544-3.13.2
    • redstone-xmlrpc-1.1_20071120-0.11.3.2
    • salt-netapi-client-0.17.0-4.3.2
    • spacecmd-4.0.18-3.13.2
    • spacewalk-admin-4.0.9-3.6.2
    • spacewalk-backend-4.0.30-3.23.3
    • spacewalk-backend-app-4.0.30-3.23.3
    • spacewalk-backend-applet-4.0.30-3.23.3
    • spacewalk-backend-config-files-4.0.30-3.23.3
    • spacewalk-backend-config-files-common-4.0.30-3.23.3
    • spacewalk-backend-config-files-tool-4.0.30-3.23.3
    • spacewalk-backend-iss-4.0.30-3.23.3
    • spacewalk-backend-iss-export-4.0.30-3.23.3
    • spacewalk-backend-package-push-server-4.0.30-3.23.3
    • spacewalk-backend-server-4.0.30-3.23.3
    • spacewalk-backend-sql-4.0.30-3.23.3
    • spacewalk-backend-sql-postgresql-4.0.30-3.23.3
    • spacewalk-backend-tools-4.0.30-3.23.3
    • spacewalk-backend-xml-export-libs-4.0.30-3.23.3
    • spacewalk-backend-xmlrpc-4.0.30-3.23.3
    • spacewalk-base-4.0.19-3.18.3
    • spacewalk-base-minimal-4.0.19-3.18.3
    • spacewalk-base-minimal-config-4.0.19-3.18.3
    • spacewalk-certs-tools-4.0.15-3.15.2
    • spacewalk-client-tools-4.0.12-3.13.2
    • spacewalk-html-4.0.19-3.18.3
    • spacewalk-java-4.0.31-3.23.1
    • spacewalk-java-config-4.0.31-3.23.1
    • spacewalk-java-lib-4.0.31-3.23.1
    • spacewalk-java-postgresql-4.0.31-3.23.1
    • spacewalk-search-4.0.9-3.11.2
    • spacewalk-setup-4.0.13-3.11.1
    • spacewalk-taskomatic-4.0.31-3.23.1
    • spacewalk-utils-4.0.16-3.15.2
    • subscription-matcher-0.25-3.3.2
    • susemanager-doc-indexes-4.0-10.18.2
    • susemanager-docs_en-4.0-10.18.2
    • susemanager-docs_en-pdf-4.0-10.18.2
    • susemanager-retail-tools-1.0.1580471316.1839544-3.13.2
    • susemanager-schema-4.0.18-3.17.2
    • susemanager-sls-4.0.24-3.17.2
    • susemanager-sync-data-4.0.16-3.15.2
    • susemanager-web-libs-4.0.19-3.18.3
    • system-lock-formula-0.2-4.5.1
    • virtualization-host-formula-0.2-4.3.2
  • SUSE Linux Enterprise Module for SUSE Manager Proxy 4.0 (ppc64le s390x x86_64):
    • patterns-suma_proxy-4.0-9.10.2
  • SUSE Linux Enterprise Module for SUSE Manager Proxy 4.0 (noarch):
    • mgr-osad-4.0.11-3.9.2
    • python3-mgr-osa-common-4.0.11-3.9.2
    • python3-mgr-osad-4.0.11-3.9.2
    • python3-spacewalk-backend-libs-4.0.30-3.23.3
    • python3-spacewalk-certs-tools-4.0.15-3.15.2
    • python3-spacewalk-check-4.0.12-3.13.2
    • python3-spacewalk-client-setup-4.0.12-3.13.2
    • python3-spacewalk-client-tools-4.0.12-3.13.2
    • spacecmd-4.0.18-3.13.2
    • spacewalk-backend-4.0.30-3.23.3
    • spacewalk-base-minimal-4.0.19-3.18.3
    • spacewalk-base-minimal-config-4.0.19-3.18.3
    • spacewalk-certs-tools-4.0.15-3.15.2
    • spacewalk-check-4.0.12-3.13.2
    • spacewalk-client-setup-4.0.12-3.13.2
    • spacewalk-client-tools-4.0.12-3.13.2
    • supportutils-plugin-susemanager-client-4.0.3-3.3.2
    • supportutils-plugin-susemanager-proxy-4.0.3-3.3.2
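The package list above is the ground truth for whether a server actually carries the fix: the patch name tells you it was applied, the installed versions tell you nothing slipped (a locked package, a vendor change, a package that was not installed when the patch ran). The script below is an added check, not a SUSE tool. It reimplements RPM's version comparison in a compact form (numeric segments compare numerically, alpha segments lexically, a digit segment beats an alpha one, `~` sorts before anything including end of string, `^` sorts after end of string but before any other segment) and compares an excerpt of the advisory's fixed versions against a constructed `rpm -qa --qf '%{NAME} %{EPOCH}:%{VERSION}-%{RELEASE}\n'` listing. The installed versions are invented for the demonstration; the comparison is a rewrite of rpmvercmp's rules and is not a substitute for librpm on exotic inputs.

```python
# Added example, not a SUSE Manager or zypper tool: compare the advisory's
# package list against an rpm -qa listing using RPM version ordering.
import itertools
import re

# Version strings split into the segments rpmvercmp compares: runs of digits,
# runs of letters, and the special '~' and '^' markers; other characters are
# separators and are ignored.
_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+|~|\^")


def rpmvercmp(a, b):
    """Compare two version (or release) strings; returns -1, 0 or 1."""
    if a == b:
        return 0
    for x, y in itertools.zip_longest(_SEGMENT.findall(a), _SEGMENT.findall(b)):
        if x == y:
            continue
        if x == "~" or y == "~":          # tilde sorts before everything, even end of string
            return -1 if x == "~" else 1
        if x == "^" or y == "^":          # caret sorts after end of string, before anything else
            if x is None:
                return -1
            if y is None:
                return 1
            return -1 if x == "^" else 1
        if x is None:                     # shorter string is older: 1.0 < 1.0.0
            return -1
        if y is None:
            return 1
        x_num, y_num = x.isdigit(), y.isdigit()
        if x_num and y_num:
            c = (int(x) > int(y)) - (int(x) < int(y))
        elif x_num != y_num:              # a numeric segment is newer than an alpha one
            c = 1 if x_num else -1
        else:
            c = (x > y) - (x < y)
        if c:
            return c
    return 0


def parse_evr(evr):
    """Split 'epoch:version-release' (epoch optional or '(none)') into a tuple."""
    epoch = 0
    if ":" in evr:
        e, evr = evr.split(":", 1)
        epoch = int(e) if e.isdigit() else 0
    version, _, release = evr.rpartition("-")
    return epoch, version, release


def evrcmp(a, b):
    """Compare two epoch:version-release strings with RPM ordering."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return (ea > eb) - (ea < eb)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def split_nvr(nvr):
    """'spacewalk-java-4.0.31-3.23.1' -> ('spacewalk-java', '4.0.31', '3.23.1')."""
    nv, _, release = nvr.rpartition("-")
    name, _, version = nv.rpartition("-")
    return name, version, release


# Excerpt of the advisory's Server module (noarch) package list.
FIXED = [
    "redstone-xmlrpc-1.1_20071120-0.11.3.2",
    "spacewalk-java-4.0.31-3.23.1",
    "spacewalk-backend-4.0.30-3.23.3",
    "susemanager-schema-4.0.18-3.17.2",
    "salt-netapi-client-0.17.0-4.3.2",
]

# Constructed output of: rpm -qa --qf '%{NAME} %{EPOCH}:%{VERSION}-%{RELEASE}\n'
# (versions invented for the demonstration).
INSTALLED = """\
redstone-xmlrpc (none):1.1_20071120-0.11.2.1
spacewalk-java (none):4.0.31-3.23.1
spacewalk-backend (none):4.0.30-3.22.1
susemanager-schema (none):4.0.18-3.17.2
python3-salt (none):2019.2.0-46.81.1
"""


def missing_updates(fixed_nvrs, rpm_qa_output):
    """Return (name, installed EVR, fixed VR) for every advisory package that
    is installed at a version older than the one in the package list."""
    installed = {}
    for line in rpm_qa_output.splitlines():
        if line.strip():
            name, evr = line.split(None, 1)
            installed[name] = evr.strip()
    stale = []
    for nvr in fixed_nvrs:
        name, version, release = split_nvr(nvr)
        if name not in installed:
            continue  # not installed, so nothing to patch
        fixed = "%s-%s" % (version, release)
        if evrcmp(installed[name], "0:" + fixed) < 0:
            stale.append((name, installed[name], fixed))
    return stale
```

On a live server the quick check is `zypper patches`, which shows whether SUSE-SLE-Module-SUSE-Manager-Server-4.0-2020-671 is installed or still needed; the per-package comparison above is what you reach for when a patch reports as applied but a package lock or a skipped dependency leaves an old build in place.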
